Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20220812-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    23-11-2022 18:17

General

  • Target

    lpk.dll

  • Size

    46KB

  • MD5

    149695dd08b7389308b0d0bfb40f47b7

  • SHA1

    22082f21d78e21b24623ecb06d13fd15fa53ca3b

  • SHA256

    a1eb4f7ab9832baf68862cdfa2ae4c2571880af513d9e942f70c781e22cf4ba9

  • SHA512

    f65fe00bb21b80da14a5544970cbb2493b92747aefbd1f33355f3154092fe931b663440bd65d2bec7645f54ee3556825239a4f3bc9ec434c02d728f836f07e18

  • SSDEEP

    768:hojY9PKi9eebwtwGYNrihCp2+UGj0W3eE1Y2ahjKQyzkojY9Po:0mJeebwtwLp27GjV3P1Yd2QyzVmg

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\lpk.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1088
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\lpk.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1884
      • C:\Users\Admin\AppData\Local\Temp\hrl6F59.tmp
        C:\Users\Admin\AppData\Local\Temp\hrl6F59.tmp
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of SetWindowsHookEx
        PID:3516
  • C:\Windows\SysWOW64\kyrvan.exe
    C:\Windows\SysWOW64\kyrvan.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    PID:3612

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Local\Temp\hrl6F59.tmp

    Filesize

    38KB

    MD5

    51bca8b89d54e7b9f8ccd310425a50b2

    SHA1

    ce5d59db5d626b4757703c4cf05522dc213d99ec

    SHA256

    d00ed6db20a01540b63f1889abf9c4371d1a87154a686c32b0a9efdc016f44c9

    SHA512

    6f93c45acabe545571d671536aa5d917cfdd790ec8fc817cbd670b72edade654f5b9532b08fa433b27c783aafbc3f76c938f54f13407491ec2ab09da7b440e2e

  • C:\Windows\SysWOW64\hra33.dll

    Filesize

    46KB

    MD5

    149695dd08b7389308b0d0bfb40f47b7

    SHA1

    22082f21d78e21b24623ecb06d13fd15fa53ca3b

    SHA256

    a1eb4f7ab9832baf68862cdfa2ae4c2571880af513d9e942f70c781e22cf4ba9

    SHA512

    f65fe00bb21b80da14a5544970cbb2493b92747aefbd1f33355f3154092fe931b663440bd65d2bec7645f54ee3556825239a4f3bc9ec434c02d728f836f07e18

  • C:\Windows\SysWOW64\kyrvan.exe

    Filesize

    38KB

    MD5

    51bca8b89d54e7b9f8ccd310425a50b2

    SHA1

    ce5d59db5d626b4757703c4cf05522dc213d99ec

    SHA256

    d00ed6db20a01540b63f1889abf9c4371d1a87154a686c32b0a9efdc016f44c9

    SHA512

    6f93c45acabe545571d671536aa5d917cfdd790ec8fc817cbd670b72edade654f5b9532b08fa433b27c783aafbc3f76c938f54f13407491ec2ab09da7b440e2e

  • memory/1884-132-0x0000000000000000-mapping.dmp

  • memory/3516-133-0x0000000000000000-mapping.dmp